Hello
I read your document and I just want to say that I already manage ACR with
multiple clientIds to protect encapsulated domains.
For example, for an e-commerce site I have a global clientId to allow users to
connect to the site and specific clientIds to protect user information like
address or b

Hi Giuseppe,
Asking whether a technology addresses real-world challenges is a fair
question. The point of the current draft is that we have empirical
evidence that X.509-based authentication works well for many cases, given
the very wide usage of things like OpenID Connect Discovery. PIKA seeks
OpenID Discovery already allows this attack. Its security relies on HTTPS,
which only authenticates the domain name. So the owner of a domain can
present a valid discovery document with arbitrary information in it for any
issuer path on the domain.
Do you have the same concern with that mechanis

Hey Richard,
OpenID Discovery apparently hasn't become popular in the gov field, or at
least not alone and without some sort of trusted registries.
OpenID Connect didn't get wide adoption in the R&E field, which is still
using SAML2 with X.509 certificates mixed with a secured metadata exchange
mechan